October 18, 2021, was a tricky day for the ransomware industry. First, the gang that ran the REvil ransomware had its servers compromised, and then three individuals with key roles changed jobs.
That version of history was told today by Juan Antonio Velasco – a cybersecurity analyst at Spanish financial services giant Santander Group. Speaking at CyberCrimeCon 21, an event convened by threat-hunting and security software company Group-IB, Velasco’s talk tracked the recent career moves of four ransomware actors named Orange, MRT, Kajit and 999.
All have been active on various crime forums for some time. Orange served as the main administrator on a Russia-centric forum called Ramp. He or she reported details of the ransomware gang Babuk’s activities after the group infamously infected the Metropolitan Police Department of Washington DC in April 2021.
999 was Ramp’s forum moderator. Kajit also performed some moderation duties and was active on rival forums such as XXX.is and exploit.in.
They all changed jobs on October 18. Orange, MRT, and 999 decided to go private, while Kajit was named the admin of Ramp. Velasco’s analysis of traffic on crime forums suggests Kajit now has the line of contact to the REvil ransomware’s masters that Orange once enjoyed. Kajit has also launched a redesign of Ramp.
Ramp has recently started to court Chinese actors, in addition to its usual Russian-and-English-speaking clientele. Velasco was unable to explain why that’s happened, but thought the increasing interaction between Russian and Chinese actors was notable.
He also noted that October 18 is the day REvil’s servers went offline – but didn’t explicitly link the change of gigs to the (possible) demise of the (probably) Russian gang.
The researcher discussed the job moves in the context of his probes of how ransomware groups operate an increasingly sophisticated and diverse supply chain. Velasco said labor is now divided…